Anyone who uses Skype has consented to the company reading everything they write. The H's associates in Germany at heise Security have now discovered that the Microsoft subsidiary does in fact make use of this privilege in practice. Shortly after sending HTTPS URLs over the instant messaging service, those URLs receive an unannounced visit from Microsoft HQ in Redmond.

It seems that it's not only Uncle Google who loves messing around with our privacy. I really have no idea what the benefit is for Microsoft to do this. Google --> ads. Microsoft? I have no clue what they're planning.

Actually it is to keep you safe. This is an automated system you've probably heard of before, SmartScreen. This isn't someone "reading" your messages, total FUD article.

SmartScreen is implemented in various Microsoft services including Windows itself and is a great security feature, especially for the average Joes who just click links without a thought. This is how "Skype malware" propagates and this is exactly what they're trying to prevent.

FYI, Windows Live Messenger also did the same thing. Let's not stop that from having a good rant though.

A spokesman for the company confirmed that it scans messages to filter out spam and phishing websites. This explanation does not appear to fit the facts, however. Spam and phishing sites are not usually found on HTTPS pages. By contrast, Skype leaves the more commonly affected HTTP URLs, containing no information on ownership, untouched. Skype also sends HEAD requests, which merely fetch administrative information relating to the server. To check a site for spam or phishing, Skype would need to examine its content.

More complete and utter FUD, who says malware and phishing can't be on HTTPS pages? Are AV companies implementing SSL scanning for the lulz? The article author is an idiot.

FYI, it only scans links, not all chat messages like the article attempts to imply...

This is an automated system you've probably heard of before, SmartScreen.

That might be true, but is there evidence to substantiate it? It seems to me that those who are interested in this would try to rule out server side snooping and then zero in any client side mechanism that is involved. So for starters:

1) Assure that Smartscreen is disabled on both of the machines Skyping
2) Someone should send, via Skype, a unique *unlikely to have been previously seen by Microsoft's Smartscreen servers* URL and *one that is not associated with a major site that could possibly be whitelisted* to the other. To play it safe don't even visit that URL from either machine that is Skyping.
3) Watch server logs for hours/days to see if a Microsoft server or other unexpected party requests the URL.

Then look for and play around with client side config options to see what it takes to disable the behavior. It would be extremely sad/bad if one can't exert fine-grained control over SmartScreen, Skype, etc. For example, configure things so that the sending of URLs via Skype *doesn't* cause them to be sent to Microsoft but browsing with IE does (unless you've created an exclusion for the site/URL in question).
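As an added example (not from this thread, heise's test, or any Microsoft/Skype code), here is one way to carry out step 3 of that procedure: a small Python script that scans a web server's combined-format access log for requests to a unique canary path and reports who fetched it, with which HTTP method (the article says Skype's visits are HEAD requests) and how long after the URL was shared. The canary path, IP addresses, timestamps and user agents below are all constructed sample data.

```python
import re
from datetime import datetime, timezone

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line; return None for anything unparseable."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def canary_visits(lines, canary_path, sent_at, own_ips=()):
    """Requests for canary_path after sent_at, excluding the two Skype machines;
    records who asked, the HTTP method (HEAD = headers only) and the delay."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != canary_path or rec["ip"] in own_ips:
            continue
        if rec["time"] < sent_at:
            continue  # a hit before the URL was shared cannot be a link check
        hits.append({
            "ip": rec["ip"], "method": rec["method"], "status": int(rec["status"]),
            "ua": rec["ua"], "delay_s": (rec["time"] - sent_at).total_seconds(),
        })
    return hits

# Constructed sample data: a canary path nobody else knows, shared at 14:00 UTC.
CANARY_PATH = "/c4n4ry-7f3a/price-list.html"
SENT_AT = datetime(2013, 5, 8, 14, 0, 0, tzinfo=timezone.utc)
OWN_IPS = ("192.0.2.10", "192.0.2.20")  # the two Skype machines (RFC 5737 test addresses)
SAMPLE_LOG = [
    '198.51.100.7 - - [08/May/2013:13:59:30 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "ExampleBrowser/1.0"',
    '192.0.2.10 - - [08/May/2013:14:00:05 +0000] "GET /c4n4ry-7f3a/price-list.html HTTP/1.1" 200 900 "-" "ExampleBrowser/1.0"',
    '203.0.113.5 - - [08/May/2013:14:02:11 +0000] "HEAD /c4n4ry-7f3a/price-list.html HTTP/1.1" 200 - "-" "ExampleLinkChecker/0.1 (constructed)"',
    'this line is not a log entry at all',
    '203.0.113.77 - - [08/May/2013:17:30:00 +0000] "GET /c4n4ry-7f3a/price-list.html HTTP/1.1" 200 900 "-" "ExampleCrawler/2.0 (constructed)"',
]

if __name__ == "__main__":
    for h in canary_visits(SAMPLE_LOG, CANARY_PATH, SENT_AT, OWN_IPS):
        print(f'{h["delay_s"]:>8.0f}s after sharing: {h["method"]:4} from {h["ip"]} ({h["ua"]})')
```

The delay column is what distinguishes a real-time safety check from a later crawl, which is the point the thread argues over.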

There are some valid points inside the article (based on the assumption that they really tested it; I didn't make any tests myself):

1. Microsoft automatically reads the content of all messages in order to determine if the message contains a link. This doesn't mean that someone from MS actually reads all your messages, but it is still a privacy problem (i.e. if this is possible, what keeps them from reading other type of content as well, or even store that on their servers?).
2. Microsoft reads HTTPS links, but not HTTP links. Spammers can use both, so why discriminate between them?
3. Microsoft doesn't read the site contents (uses HTTP HEAD), and the article points out correctly that this is not exactly a scientific method to check for spam.
4. The request to the site in question is made after the fact, meaning that it doesn't protect the user in any way from clicking a spam link that appears in one of the messages.

So, in my opinion, if these points are correct, Microsoft built a "spam protection" system that is both ineffective and a threat to privacy.

Microsoft doesn't normally discuss the details of its security infrastructure. However, I’m reasonably certain that address is part of Microsoft’s SmartScreen infrastructure, which the company uses to identify suspicious and dangerous URLs so that it can block malware, phishing sites, and spam in Internet Explorer, Outlook.com, and other Microsoft services. Presumably, Skype picked up SmartScreen filtering when it took over the functions previously handled by Windows Live Messenger.

Heise Security was skeptical of that explanation. Wouldn’t Microsoft/Skype have to look at the contents of a given page to determine whether it’s a phishing site or spam? No. Microsoft’s SmartScreen technology works by examining the reputation of a host, and it uses a wide range of markers to assess that reputation.

In short, Microsoft’s explanation checks out. If you share a URL in a Skype instant message, there’s a possibility (not a guarantee, just a chance) that a SmartScreen server will ask for more information about the server from which that URL originated. It will then use that information to help determine whether that link is legit.

There’s no evidence that anyone, human or machine, is reading your confidential messages.

Ed never saw an MS 'anything' that he didn't love, IMO. I wonder what he thinks about the new MS/NYPD Surveillance System? You could test this out another way. Start a text session about an illegal drug deal, pointing to a price list on a website you created that is named something like -> the drug prices dot com <-. See if that gets any visits.

There’s no evidence that anyone, human or machine, is reading your confidential messages.

Interesting comment by Ed Bott.

If nothing is reading, then how would it know what to look for? It needs to parse the content to check for some string that looks like a valid URL, doesn't it?

If nothing is parsing, then nothing is checking URLs. If something is checking URLs, then something is parsing. If something is parsing, then something is reading.

It doesn't take much science to figure it out.

But, anyway, is it me, or has Ed Bott also had some "interesting" articles in the past?

Without reading whatever article Mr. Bott wrote, I can already determine he's a clueless imbecile. Would he care to explain how ads in Gmail work then? Would he care to explain why it is Google flat out has said their systems scan content of emails to provide said ads?

Would he care to explain how online stings/investigations work? What about DNS queries, "This page contains malware" blocking? Does he think little sprites sprinkle fairy dust around and magic happens?

An interesting followup by H-Online... -http://www.h-online.com/security/features/Skype-s-ominous-link-checking-facts-and-speculation-1865629.html

They mention something I wasn't aware of, especially because I don't use Skype, and that's the fact that, if this is all about SmartScreen, then how come the user has no option to disable it, and there's no mention of it, just like we know it exists for IE/Explorer (Windows) and that can be disabled?

Also, it seems that it took some hours for the URL to be checked, so quite hard to be related to SmartScreen. Otherwise, like HO mentions, it would be pretty much useless to work like that.

You couldn't disable it in Messenger either, I don't see the issue. You're using one of their services (which has a bad issue with spreading spam and malware links) so they have the right to check URLs for spam. IE/Windows is software you've bought not an online service.

This is similar to complaints about CCTV on trains to stop vandalism IMO. You're using someone else's service.

There's also the fact that the Skype team and the Microsoft teams are still pretty damn disconnected. There are Messenger features missing from Skype that will probably take months to gradually be introduced.

Clicking through that latest H-Online article to http://lists.randombit.net/pipermail/cryptography/2013-May/004224.html I notice that someone tested this with the sender using a Skype client on Ubuntu and the receiver using a Skype client on Mac OS X. Although the description isn't definitive, that makes it seem more likely that the URLs weren't getting phoned home by other software (such as SmartScreen functionality in IE/AV/OS) and instead 1) the Skype client software is harvesting and forwarding things, and/or 2) a Skype server is harvesting things.

Skype will retain your information for as long as is necessary to: (1) fulfill any of the Purposes (as defined in article 2 of this Privacy Policy) or (2) comply with applicable legislation, regulatory requests and relevant orders from competent courts.

Your instant messaging (IM), voicemail, and video message content (collectively “messages”) may be stored by Skype (a) to convey and synchronize your messages and (b) to enable you to retrieve the messages and history where possible. Depending on the message type, messages are generally stored by Skype for a maximum of between 30 and 90 days unless otherwise permitted or required by law. This storage facilitates delivery of messages when a user is offline and to help sync messages between user devices. For IM, if you have linked your Skype and Microsoft accounts, you may have the option to choose to store your full IM history for a longer period. In that case, your IMs may be stored in your Outlook.com Messaging folder until you manually delete them. For Video messages, you may also choose to store messages for an extended period if the sender is a Premium Member.

Skype will take appropriate technical and security measures to protect your information. By using this product, you consent to the storage of your IM, voicemail, and video message communications as described above.

bits from http://www.skype.com/en/legal/privacy suggest to me that it is probably #2 and a Skype server that is doing it. It also sounds as though it isn't just URLs but all such message content that is at risk of being datamined by Microsoft and used for the variety of secondary purposes mentioned in section #2 of that privacy policy (which has some extremely broad clauses).

You couldn't disable it in Messenger either, I don't see the issue. You're using one of their services (which has a bad issue with spreading spam and malware links) so they have the right to check URLs for spam. IE/Windows is software you've bought not an online service.

Checking the URLs for spam/malware links is one thing, and something the user should have an option to disable for private information.

Also, what kind of protection does it offer if it only "checks" the URL a few hours later? Makes no sense whatsoever.

This is similar to complaints about CCTV on trains to stop vandalism IMO. You're using someone else's service.

Some trains have bathrooms. Would you be OK with them monitoring you while in there? No, that's your "private" moment. I'd relate this to HTTPS, which is for privacy/security, not for breaking it.

It's like malls, etc., they all have cameras, which is OK. But, there's a limit, and that limit is that cameras can't be everywhere, because there's still the right to privacy, and this privacy can't be breached for the sake of security, at least not in a democratic society. Unfortunately, in some places it's broken, for the sake of security.

Anyway, the day people stop caring, corporations/etc can do whatever they want. I don't like this, and hopefully I won't live long enough to see most of the freedom I still got to go down the drain.

I'm really offtopic here, but CCTV (or any other form of surveillance) doesn't stop anything, it just makes catching the perpetrators easier.

That's incorrect. It's for reducing the likelihood that it will happen, and it DOES work. A great example of this is speed cameras. Why do you think it's legal to download speed camera locations for your Sat Nav device? They don't exist to catch people, they exist to make people obey the speed limit. I don't know about you, but I slow down every time I hear that beep.

m00nbl00d said:

Checking the URLs for spam/malware links is one thing, and something the user should have an option to disable for private information.

Also, what kind of protection does it offer if it only "checks" the URL a few hours later? Makes no sense whatsoever.

Where is your evidence of "hours later"?
This argument is entirely flawed the same way as AVs add protection for threats "hours later" and browsers add protection against URLs "hours later".

m00nbl00d said:

Some trains have bathrooms. Would you be OK with them monitoring you while in there? No, that's your "private" moment. I'd relate this to HTTPS, which is for privacy/security, not for breaking it.

Oh please, Skype isn't advertised as "HTTPS chat". The only thing "HTTPS" about this is the link that was chosen to be sent. So I have no idea where you're factoring privacy into this or how it's being "violated".

It's for reducing the likelihood that it will happen, and it DOES work.

While I agree with you 100% that using surveillance cameras does help in deterring people from doing all kinds of bad things, I still stand by what I said earlier: it's not the camera that stops you from doing something wrong, it's a psychological feedback mechanism that does it. If that mechanism is broken (i.e. you don't care about the consequences of your actions), then the camera won't stop you.

They should start putting actual slavery obligations into EULA's for free services. "Use this, and you have to work for free, for us, for 1 hour". Hey, it's free, why the complaining? Whatever happened to "It's just not right to do"? Hey, you're in public...I can take pictures of your little kids, all day long...stay in your house if you don't like it... World going to heck in a hand basket.